Network Working Group F. Templin, Ed.
Internet-Draft Boeing Phantom Works
Intended status: Informational October 23, 2008
Expires: April 26, 2009
Routing and Addressing in Next-Generation EnteRprises (RANGER)draft-templin-ranger-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 26, 2009.
Abstract
Enterprise networks will require support for both Internet protocol
versions (IPv4 and IPv6) for an indeterminant period; perhaps even
indefinitely. This is particularly true for existing enterprise
networks that must introduce IPv6 without disruption of IPv4
services, but the same principles apply also to clean-slate
deployments in new enterprises. Next-generation enterprises
therefore require an architected solution for coordination of their
internal routing and addressing plans for both IPv6 and IPv4. The
RANGER architecture addresses these requirements.
Templin Expires April 26, 2009 [Page 1]

Internet-Draft RANGER October 20081. Introduction
Enterprise networks will require support for both Internet protocol
versions (IPv4 and IPv6) for an indeterminant period; perhaps even
indefinitely. This is particularly true for existing enterprise
networks that must introduce IPv6 without disruption of IPv4
services, but the same principles apply also to clean-slate
deployments in new enterprises. Next-generation enterprises
therefore require an architected solution for coordination of their
internal routing and addressing plans for both IPv6 and IPv4. The
RANGER architecture addresses these requirements, and provides a
framework for IPv6/IPv4 coexistence [I-D.arkko-townsley-coexistence].
RANGER is a scalable architecture for routing and addressing in next-
generation enterprise networks that may contain many disjoint
interior addressing domains. Each of these domains may coordinate
their own internal addressing plans independently of one another such
that limited-scope addresses (e.g., [RFC1918] private-use IPv4
addresses) may be reused with impunity to provide unlimited scaling
through spatial reuse. These disjoint domains therefore appear as
enterprises unto themselves, such that a model of recursively nested
"enterprises-within-enterprises" is enabled.
Without an architected approach, routing and addressing within such a
framework would be fragmented due to limited-scope address/prefix
reuse between disjoint addressing domains. However, the entire
enterprise can be unified via a virtual overlay architecture
mainfested by automatic tunneling over disjoint domains
interconnected via border routers.
RANGER provides an architecture for operation of virtual overlay
networks within a diverse range of enterprise network scenarios, as
outlined in the following sections. While RANGER discusses the
specific instance of IPv6 as a virtual overlay for connecting
disjoint IPv4 domains, it is important to note that the same
architectural principles apply to any combination of IP virtual
overlays over disjoint IP addressing spaces.
2. Terminology
commons
a routing region within an enterprise that provides a subnetwork
for cooperative peering between the border routers of diverse
organizations that may have competing interests. A prime example
of a commons is the Default Free Zone (DFZ) of the global
Internet.
Templin Expires April 26, 2009 [Page 3]

Internet-Draft RANGER October 2008
enterprise
the same as defined in [RFC4852], where the enterprise deploys a
unified IPv4 routing and addressing plan but may internally
contain many disjoint addressing domains and/or organizational
groupings that can be considered as enterprises/sites unto
themselves. An enterprise therefore need not be "one big happy
family", but instead provides a commons for the cooperative
interconnection of diverse organizations that may have competing
interests (e.g., such as the case within the global Internet
default free zone).
Enterprise networks are typically associated with large
corporations or academic campuses, however the RANGER
architectural principles apply to any network that has some degree
of cooperative active management. This definition can therefore
be extended to home networks, small office networks, a wide
variety of mobile ad-hoc networks (MANETs), and even to the global
Internet itself.
site
a logical and/or physical grouping of interfaces within an
enterprise, where the site may be less than or equal to an
enterprise in scope. A site may contain many interior
enterprises/sites, which may themselves contain many interior
enterprises/sites in a recursive fashion. At the lowest level of
decomposition, a singleton Border Router can be considered as an
enterprise/site unto itself.
enterprise/site Throughout the remainder of this document, the term
"enterprise" is used to collectively refer to either enterprise or
site, i.e., the RANGER principles apply equally to enterprises and
sites of any size or shape.
Border Router (BR)
an IPv6/IPv4 dual-stack node at the edge of an enterprise and that
is also configured as an IPv6 router in an overlay network. BRs
connect their directly-attached IPv6 networks to the overlay
network, and connect to other IPv6 networks via IPv6-in-IPv4
tunneling across the commons to other BRs.
Border Gateway (BG)
a BR that also connects the enterprise to provider networks and/or
to the global Internet. BGs are typically configured as default
IPv6 routers, and provide forwarding services for accessing IPv6
networks not reachable via a BR within the commons.
Templin Expires April 26, 2009 [Page 4]

Internet-Draft RANGER October 2008
overlay network
a virtual network manifested by IPv6 routing and addressing over
virtual links formed through automatic IPv6-in-IPv4 tunneling. An
IPv6 overlay network may span many underlying IPv4 enterprises/
sites.
6over4
Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
[RFC2529]; functional specifications and operational practices for
automatic tunneling of unicast/multicast IPv6 packets over
multicast-capable IPv4 enterprises/sites.
ISATAP
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
[RFC5214]; functional specifications and operational practices for
automatic tunneling of unicast IPv6 packets over unicast-only IPv4
enterprises/sites.
VET
Virtual Enterprise Traversal (VET) [I-D.templin-autoconf-dhcp];
functional specifications and operational practices that provide a
functional superset of 6over4 and ISATAP. In addition to both
unicast and multicast tunneling, VET also supports address/prefix
autoconfiguration as well as extra encapsulations such as IPSec,
SEAL, LISP, etc.
SEAL
Subnetwork Encapsulation and Adaptation Layer (SEAL)
[I-D.templin-seal]; a functional specification for robust and
authenticated path MTU assurance over IPv6-in-IPv4 tunnels. Also
provides authentication for other ICMP error messages, and adapts
to subnetworks with diverse link characteristics.
3. The RANGER Architecture
The RANGER architecture enables scalable IPv6 routing and addressing
in next-generation enterprise networks, while sustaining support for
legacy IPv4 networks and services. Key to this approach is a
framework that accommodates interconnection of diverse organizations
with a mutual spirit of cooperation, but with the potential for
competing interests. The following sections outline the RANGER
architecture within the context of anticipated use cases:
3.1. The Enterprise-within-Enterprise Framework
Enterprise networks traditionally distribute routing information via
Interior Gateway Protocols (IGPs) such as Open Shortest Path First
Templin Expires April 26, 2009 [Page 5]

Internet-Draft RANGER October 2008
Internet via routers 'R1' through 'Rn' and additional enterprises
'E2' through 'EN' that also connect to the global Internet. Within
the 'E1' commons, there may be arbitrarily-many IPv4 hosts, routers
and networks (not shown in the diagram) over which IPv4 packets can
be forwarded and IPv6 packets can be tunneled. There may also be
many internal enterprises/sites 'E1.1' through 'E1.m' (shown in the
diagram) that interconnect within the 'E1' commons via Border Routers
(BRs) depicted as 'X1' through 'X9' (where 'X1' through 'X9' see 'R1'
through 'Rn' as Border Gateways (BGs)). Within each 'E1.*'
enterprise, there may also be arbitrarily-many IPv4 networks/nodes as
well as lower layer enterprises/sites that interconnect within the
'E1.*' commons via BRs depicted as 'Y1' through 'Y9' in the diagram
(where 'Y1' through 'Y9' see 'X1' through 'X9' as BGs). This
hierarchical decomposition can be recursively nested as deeply as
desired, and ultimately terminates at singleton IPv6/IPv4 dual-stack
systems such as those depicted as 'V', 'W' and 'Z' in the diagram.
It is important to note that dual-stack systems such as 'V', 'W' and
'Z' may be simple IPv6/IPv4 hosts, or they may be BRs that attach
arbitrarily-complex IPv6-only edge networks. Such IPv6-only edge
networks could be as simple as a home network behind a residential
gateway, or as complex as a major corporate/academic campus, a large
service provider network, etc.
Again, this enterprise-within-enterprise framework can be recursively
nested as broadly and deeply as desired. From the ultimate level of
the hierarchy, consider now that the global Internet itself can be
viewed as an "enterprise" that interconnects E1 through EN such that
all RANGER architectural principles apply equally within the global
Internet context.
As a specific case in point, the future global Aeronautical
Telecommuncations Network (ATN) under development within the civil
aviation industry [I-D.bauer-mext-aero-topology] will take the form
of a large enterprise network that appears as an Internet unto
itself, i.e., exactly as depicted for 'E1' in Figure 1. Within the
ATN, there will be many Air Communications Service Provider (ACSP)
and Air Navigation Service Provider (ANSP) networks organized as
autonomous systems internal to the ATN, i.e., exactly as depicted for
'E1.*' in the diagram. The ACSP/ANSP network BGs will participate in
a BGP instance internal to the ATN, and may themselves run
independent BGP instances internally and be further sub-divided into
enterprises/sites organized as regional, organizational, functional,
etc. compartments. It is important to note that, while ACSPs/ANSPs
within the ATN share a common objective of safety-of-flight for civil
aviation services, there may be competing business/social/political
interests between them such that the ATN is not necessarily "one big
happy family". Therefore, the model parallels that of the global
Templin Expires April 26, 2009 [Page 7]

Internet-Draft RANGER October 2008
'vet1' through 'vet3' manifested through Virtual Enterprise Traversal
(VET) [I-D.templin-autoconf-dhcp]. Each 'vet*' interface within this
framework is Non-Broadcast, Multiple Access (NBMA), and connects all
BRs within the same enterprise. Each enterprise within the 'E1'
hierarchy may configure an independent routing and addressing plan
from a common (but spatially reused) limited-scope IPv4 prefix, e.g.,
depicted as '10/8' in the diagram. The BR for each 'E1*' enterprise
receives an IPv6 prefix delegation from a delegating BG, depicted
above as sub-delegations of the prefix '2001:DB8::/40'.
Along with the Subnetwork Encapsulation and Adaptation Layer (SEAL -
see: Section 3.4), VET specifies the necessary mechanisms and
operational practices to manifest the RANGER architecture as depicted
in the example above as well as in any such similar example. In
particular, VET allows 'V', 'Y1', 'X2' and 'R2' to configure separate
'vet*' interfaces for each enterprise they connect to, and to
discover BGs through a static name service resolution (or, mapping)
as specified in [I-D.templin-autoconf-dhcp]. After tunnels 'vet1'
through 'vet3' are established and BG's discovered, the BRs connected
to a 'vet*' interface can run an IPv6 routing protocol such as
OSPVFv3 [RFC5340] and form adjacencies between themselves while
treating the 'vet*' interface as an ordinary IPv6 link. This allows
an IPv6 overlay network that spans 'E1' to automatically form and
dynamically adapt to changing conditions within the enterprise.
In the example shown in Figure 2, a simple IPv6 host 'H' is attached
to a shared link with IPv6/IPv4 dual stack node 'V'. IPv6 host 'H'
uses standard IPv6 neighbor discovery mechanisms to discover 'V' as a
default IPv6 router that can forward its packets off the local link,
while 'V' sees node 'Y1' as a BG that can be reached via 'vet1' and
that can forward packets toward IPv6 server 'S1'. Similarly, node
'Y1' is a BR for the enterprise spanned by 'vet2' that sees 'X2' as a
BG, and node 'X2' is a BR for 'vet3' that sees 'R2' as a BG that
connects 'E1' to the global IPv6 Internet.
In a second example, Figure 3 depicts an instance of on-demand
discovery of more-specific routes in which an IPv6 host 'H' connects
to an IPv6 server 'J' located in a different organizational entity
within 'E1':
Templin Expires April 26, 2009 [Page 9]

Internet-Draft RANGER October 2008
translator would then use IPv6-to-IPv4 translation before sending
packets onwards toward 'S2'. These and other alternatives are
discussed in [I-D.wing-nat-pt-replacement-comparison].
In a final instance, the RANGER architecture currently makes no
provisions for an IPv4 client 'K' to use IPv4-only services to access
an IPv4 server 'M' in a different enterprise within 'E1' that
configures a disjoint addressing domain. Until an architected
approach is devised, 'K' would only be able to access 'M' using IPv6-
only services.
3.4. Subnetwork Encapsulation and Adaptation Layer (SEAL)
Whenever the BRs of disjoint enterprises/sites are joined across a
commons, mechanisms that rely on ICMP feedback from routers within
the network may become brittle or susceptible to spoofing attacks.
This is due to the fact that ICMP messages can be lost due to
congestion or packet filtering gateways, and that network middleboxes
are essentially "anonymous" and may include insufficient information
in ICMPs that can be used to authenticate their source. ICMP
messages can therefore be forged by anonymous attackers, e.g., from a
rogue node within an enterprise that has malicious intent toward
another enterprise.
The Subnetwork Encapsulation and Encapsulation Layer (SEAL) provides
effective means for BRs to avoid these shortcomings by accepting only
authenticated feedback from correspondent BRs that can be validated
as Potential Routers within the commons (i.e., the subnetwork) using
the mechanisms of [I-D.templin-autoconf-dhcp]. Moreover, SEAL does
not require reliable delivery of all ICMPs, but rather supports
continued operation even if some/many ICMPs are lost. Finally, SEAL
adapts to subnetworks that contain links with diverse bandwidth and
MTU size properties, and indeed allows for discovery and eradication
of marginal links.
The advantages of using SEAL within the RANGER enterprise-within-
enterprise framework are tangible, and compare favorably with the
alternative of deploying an all-IPv6 infrastructure even for clean-
slate deployments. This is especially true within enterprises that
provide a commons for joining organizational/political/functional
entities with a spirit of mutual cooperation but with competing
interests or objectives.
3.5. Mobility Management
When a mobile IPv6 node within an enterprise network moves to a new
IPv6 link, it can use mobility management mechanisms such as Mobile
IPv6 [RFC3775] or HIP [RFC4423] to maintain a stable identifier even
Templin Expires April 26, 2009 [Page 12]

Internet-Draft RANGER October 2008
as it moves between foreign links.
When a mobile BR moves to a new enterprise, it can renumber its IPv4
address(es) (i.e., its locators) and communicate these changes to
peers using a mechanism such as MobIKE [RFC4555]. In that case, it
can still retain its IPv6 addresses and/or prefixes without need for
renumbering.
4. Initiatives Related to RANGER/VET/SEAL4.1. 6over4 and ISATAP
Long before the RANGER architecture and VET/SEAL specifications were
published, 6over4 [RFC2529] specified a means for automatic tunneling
of unicast/multicast IPv6 packets over multicast-capable IPv4
enterprises, however it was unable to function in enterprises that
did not support a full deployment of IPv4 multicast services.
To address these shortcomings, ISATAP (a unicast-only variant of
6over4) [RFC5214] was specified and widely implemented among major
software and equipment vendor products. ISATAP provides unicast-only
neighbor discovery mechanisms and also adds a means for determining
whether a node on an ISATAP interface is authorized to act as an IPv6
router; namely, the Potential Router List (PRL).
VET provides a functional superset of the 6over4 and ISATAP
mechanisms; VET further combines with SEAL to provide the functional
elements of the RANGER architecture.
4.2. The Locator Identifier Split Protocol (LISP)
The Locator-Identifier Split Protocol (LISP) [I-D.farinacci-lisp]
proposes a map-and-encaps architecture for scalable routing and
addressing within the global Internet Default Free Zone (DFZ). LISP
is in essence a specific manifestation of the RANGER architecture
applied to the global Internetworking use case. All RANGER
architectural principles therefore apply equally to LISP.
5. IANA Considerations
There are no IANA considerations for this document.
6. Security Considerations
Communications between endpoints within different enterprise networks
Templin Expires April 26, 2009 [Page 13]

Internet-Draft RANGER October 2008
are carried across a commons that joins organizational entities with
a mutual spirit of cooperation, but between which there may be
competing business/sociological/political interests. As a result,
mechanisms that rely on feedback from routers on the path may become
brittle or susceptible to spoofing attacks. This is due to the fact
that IP packets can be lost due to congestion or packet filtering
gateways, and that the source addresses of IP packets can be forged.
IP packets can therefore be generated by anonymous attackers, e.g.,
from a rogue node within a third-party enterprise that has malicious
intent toward a victim.
Path MTU discovery is an example of a mechanism that relies on ICMP
feedback from routers on the path, and as such is susceptible to
these issues. For IPv4, a common workaround is to disable Path MTU
Discovery and let fragmentation occur in the network if it must. For
IPv6, lack of fragmentation support in the network precludes this
option such that the mitigation typically recommended is to discard
ICMP messages that contain insufficient information and/or to operate
with the minimum IPv6 path MTU. This example extends also to other
mechanisms that either rely on or are enhanced by feedback from
network devices, however attack vectors based on non-ICMP messages
are also subject for concern.
The RANGER architecture supports effective mitigations for attacks
such as distributed denial-of-service, traffic amplification, etc.
In particular, when VETand SEAL are is used, enterprise BGs can use
the identification encoded in the SEAL header as well as ingress
filtering to determine if a message has come from a topologically-
correct enterprise located across the commons. This allows
enterprises to employ effective mitigations at their borders without
the requirement for mutual cooperation from other enterprises. When
source address spoofing by nodes located within the commons is also
subject for concern, additional securing mechanisms such as tunnel-
mode IPsec between enterprise BGs can also be used.
While the RANGER architecture does not in itself address security
considerations, it proposes an architectural framework for functional
specifications that do. Security concerns with tunneling along with
recommendations that are compatible with the RANGER architecture are
found in [I-D.ietf-v6ops-tunnel-security-concerns].
7. Related Work
The RANGER architecture principles can be traced to the deliberations
of the ROAD group in January 1992 [RFC1380], and likely also to other
early works including Nimrod [RFC1753]. [RFC1955] captures the high-
level architectural aspects of the ROAD group deliberations in a "New
Templin Expires April 26, 2009 [Page 14]

Internet-Draft RANGER October 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Templin Expires April 26, 2009 [Page 18]